
RE: kadmin: kadm5_create_principa: ldap_add_s: Can't contact LDAP server



Thank you Howard. It is indeed the problem of the path between
ldapsearch and slapd. I also recompiled heimdal to point to the correct
path of slapd.

Creating the principals seems okay:
[root@localhost libexec]# kadmin -l
kadmin> init LARAS.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> ank la
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
la@LARAS.COM's Password:
Verifying - la@LARAS.COM's Password:
kadmin> exit
[root@localhost libexec]#

But, still no luck with ldapsearch. I've tried various ways to get back
my principal:
shell% ldapsearch -L -h localhost -D cn=manager,ou=KPrincipals,dc=laras,dc=com \
    -w secret -b ou=KPrincipals,dc=laras,dc=com 'objectclass=krb5KDCEntry'

A few doubts:
1. Was the principal creation successful? What mechanism is used by
openldap to store the data? If it is stored using SASL/External as you
said earlier then it might not be stored properly because I haven't
figured out SASL/External.

2. I understand that SASL/External should be used for ldapsearch but
will I be able to search for user credentials using simple bind?

3. I'm using openldap-2.1.25, do I still need a patch in order to
support SASL/External?

Regards,
lara

--- Howard Chu <hyc@highlandsun.com> wrote:
> The other poster was mistaken. Since I wrote the LDAP Bind code that
> Heimdal uses, I can answer definitively.
> 
> The fact that your slapd and your ldapsearch use different default paths
> for an unqualified ldapi:// URL indicates that they are not linked
> against the same installation of libldap. You'll need to recompile or
> relink Heimdal and/or OpenLDAP to correct the situation, as the Heimdal
> code does not allow you to reconfigure its LDAP URL at runtime.
> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
> 
> > -----Original Message-----
> > From: Lara Adianto [mailto:m1r4cle_26@yahoo.com]
> 
> > I'm confused now...
> > I've posted a question 'which mechanism is used to store the
> > principals' credentials in ldap backend' on this mailing list a few
> > days ago (see the excerpts of the discussion below). And from the
> > discussion, I concluded that it's simple bind.
> >
> > Or maybe I misunderstood what Gemes Geza means. Maybe the storing is
> > done with SASL/EXTERNAL mech while searching is done using simple bind?
> >
> > Anyway, init the database using kadmin still results in
> > kadmin: kadm5_create_principal: ldap_add_s: Can't contact LDAP server.
> > # kadmin -l
> > kadmin> init LARAS.COM
> > Realm max ticket life [unlimited]:
> > Realm max renewable ticket life [unlimited]:
> > kadmin: kadm5_create_principal: ldap_add_s: Can't contact LDAP server
> >
> > -lara-
> >
> > Below is the excerpt of the mail:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Lara Adianto wrote:
> > | Hi Geza,
> > |
> > | Will it work on the Linux platform as well?
> > | I have read the HOWTO on the link you provided, actually.
> > | But it doesn't really satisfy me :-)
> > |
> > | kdc# ldapsearch -L -h localhost -D cn=manager \
> > |     -w secret -b ou=KerberosPrincipals,dc=padl,dc=com \
> > |     'objectclass=krb5KDCEntry'
> > |
> > | Does it mean that we MUST use simple bind?
> >
> > Yes, but it is over a 700 mode uid 0 and gid 0 socket file, so it is
> > not less secure than accessing a root-owned file-based kerberos
> > database. Anyway kerberos is a protocol designed to solve the problem of
> > some secure hosts connected by an insecure network. So if your KDC
> > machine gets compromised anything is lost no matter if you are using
> > LDAP or not.
> >
> > | Thank you,
> > | lara
> > | Gimes Giza <geza@kzsdabas.sulinet.hu> wrote:
> > |
> > | Lara Adianto wrote:
> > | | Hi,
> > | |
> > | | This is probably a basic question but well, I haven't got any
> > | | satisfactory information on the net, so I post it anyway here.
> > | |
> > | | I read somewhere on the net that using ldap as the backend of
> > | | heimdal might degrade the security feature of kerberos. Is this
> > | | right? If yes, then in which situation will we prefer to use the
> > | | ldap backend instead of the local dbase?
> > | |
> > | | Using ldap as heimdal's backend, how would the search be conducted
> > | | through ldap? With simple bind? SASL mechanism?
> > | |
> > | With proper access control lists defined in the ldap configuration the
> > | risk is minimal. The LDAP connection is realized over a UNIX domain
> > | socket, so Heimdal and the LDAP server must run on the same host.
> > | Recommended reading:
> > | http://www.padl.com/Research/Heimdal.html
> >
> >
> > Cheers,
> >
> > Geza
> > --- Howard Chu <hyc@highlandsun.com> wrote:
> > > Exactly.
> > >
> > >   -- Howard Chu
> > >   Chief Architect, Symas Corp.       Director, Highland Sun
> > >   http://www.symas.com               http://highlandsun.com/hyc
> > >   Symas: Premier OpenSource Development and Support
> > >
> > > > -----Original Message-----
> > > > From: Lara Adianto [mailto:m1r4cle_26@yahoo.com]
> > > > Sent: Friday, April 09, 2004 8:46 PM
> > > > To: Howard Chu
> > > > Subject: RE: kadmin: kadm5_create_principa: ldap_add_s: Can't contact
> > > > LDAP server
> > > >
> > > >
> > > > Hi Howard,
> > > >
> > > > >Furthermore, Heimdal's hdb-ldap backend uses SASL/EXTERNAL so you
> > > > >must be able to verify this method using ldapsearch if you want
> > > > >hdb-ldap to work.
> > > >
> > > > Does this mean that storing the principal's credentials in the LDAP
> > > > backend is done by using SASL/EXTERNAL and not using simple bind?
> > > >
> > > > -lara-
> > > >
> > > > --- Howard Chu <hyc@highlandsun.com> wrote:
> > > > > > -----Original Message-----
> > > > > > From: owner-heimdal-discuss@sics.se
> > > > > > [mailto:owner-heimdal-discuss@sics.se] On Behalf Of Gimes Giza
> > > > >
> > > > > > Recent openldap client software wants to auth by sasl by
> > > > > > default. Please disable it by specifying the -x flag.
> > > > > >
> > > > > > ldapsearch -H 'ldapi:///' -x
> > > > >
> > > > > No.
> > > > >
> > > > > Changing the Bind method will not affect an "Unable to contact the
> > > > > server" error. Obviously if the client cannot connect, then its
> > > > > choice of Bind method is irrelevant.
> > > > >
> > > > > Furthermore, Heimdal's hdb-ldap backend uses SASL/EXTERNAL so you
> > > > > must be able to verify this method using ldapsearch if
> 
=== message truncated ===


=====
------------------------------------------------------------------------------------ 
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
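The thread turns on two separate things: whether slapd and the client resolve an unqualified ldapi:// URL to the same socket file (Howard's point about two libldap builds), and whether a SASL/EXTERNAL bind over that root-only 0700 socket yields an identity the directory's ACLs recognise. The script below is an added example written for this page; it is not code from Heimdal, OpenLDAP or anyone in the thread. The two default socket paths, the temporary socket it creates in place of slapd's, and the checks it makes are assumptions for illustration; the peer-credential authorization DN format is what slapd derives for an ldapi connection.

```python
"""Diagnose ldapi:// socket-path mismatches and the SASL/EXTERNAL identity.

Added illustration for this thread, not code from Heimdal or OpenLDAP.
The default socket paths below are assumptions for the demo.
"""
import os
import socket
import stat
import tempfile
from urllib.parse import quote, unquote, urlsplit

# An unqualified ldapi:/// resolves to a path fixed when libldap was built,
# so a slapd and an ldapsearch from different OpenLDAP installations can
# disagree silently. Both values are assumed; check your own build.
SERVER_DEFAULT_SOCKET = "/usr/local/var/run/ldapi"
CLIENT_DEFAULT_SOCKET = "/var/run/ldapi"


def ldapi_socket_path(url, default_socket):
    """Return the socket file an ldapi URL names.

    The path travels in the authority part, percent-encoded
    (ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi). An empty authority means
    "use the compile-time default", which is where the mismatch hides.
    """
    parts = urlsplit(url)
    if parts.scheme != "ldapi":
        raise ValueError("not an ldapi URL: %r" % url)
    return unquote(parts.netloc) if parts.netloc else default_socket


def ldapi_url(socket_path):
    """Build an explicit ldapi URL so both sides name the same file."""
    return "ldapi://" + quote(socket_path, safe="")


def same_socket(server_url, client_url,
                server_default=SERVER_DEFAULT_SOCKET,
                client_default=CLIENT_DEFAULT_SOCKET):
    """True when slapd and the client would open the same socket file."""
    return (ldapi_socket_path(server_url, server_default)
            == ldapi_socket_path(client_url, client_default))


def peercred_authzid(uid, gid):
    """Identity slapd derives from the Unix peer credentials of an ldapi
    connection on a SASL/EXTERNAL bind; an ACL must grant this DN access
    (uid 0 / gid 0 when hdb-ldap runs as root)."""
    return ("gidNumber=%d+uidNumber=%d,cn=peercred,cn=external,cn=auth"
            % (gid, uid))


def check_socket(path):
    """Inspect the socket file against what the thread describes:
    a socket, mode 0700, owned by uid 0 / gid 0."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return {"exists": False, "is_socket": False, "ok": False,
                "reason": "no such file; is slapd listening on this path?"}
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("not a socket")
    if mode != 0o700:
        problems.append("mode is %04o, expected 0700" % mode)
    if st.st_uid != 0 or st.st_gid != 0:
        problems.append("owner is %d:%d, expected 0:0" % (st.st_uid, st.st_gid))
    return {"exists": True, "is_socket": stat.S_ISSOCK(st.st_mode),
            "mode": mode, "uid": st.st_uid, "gid": st.st_gid,
            "ok": not problems, "reason": "; ".join(problems)}


def demo():
    """Create a throwaway Unix socket standing in for slapd's and run the
    checks against it, so the script runs offline without a directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "ldapi")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        os.chmod(path, 0o700)
        result = check_socket(path)
        result["url"] = ldapi_url(path)
        result["authzid"] = peercred_authzid(os.getuid(), os.getgid())
    finally:
        srv.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(workdir)
    return result


if __name__ == "__main__":
    r = demo()
    print("socket check :", "ok" if r["ok"] else r["reason"])
    print("bind test    : ldapsearch -H %s -Y EXTERNAL -b '' -s base" % r["url"])
    print("expect authzid:", r["authzid"])
    print("both sides on ldapi:/// agree:", same_socket("ldapi:///", "ldapi:///"))
```

Run against the real socket, the order of checks mirrors Howard's reasoning: first confirm the file slapd listens on and the file the client opens are the same path, then test the bind with `ldapsearch -H ldapi://%2F... -Y EXTERNAL`; only once that succeeds does the question of which bind method hdb-ldap uses matter, and the `cn=peercred,cn=external,cn=auth` DN is what the slapd ACLs must grant access to.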
